Signing AWS API Requests

When you send HTTP requests to AWS, you sign the requests so that AWS can identify who sent them. You sign requests with your AWS access key, which consists of an access key ID and secret access key. Some requests do not need to be signed, such as anonymous requests to Amazon Simple Storage Service (Amazon S3) and some API operations in AWS Security Token Service (AWS STS) such as AssumeRoleWithWebIdentity.

Note

You need to learn how to sign HTTP requests only when you manually create them. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

When Do You Need to Sign Requests?

When you write custom code to send HTTP requests to AWS, you need to include code to sign the requests. You might do this for the following reasons:

You are working with a programming language for which there is no AWS SDK.

You want complete control over how a request is sent to AWS.

You don't need to sign a request when you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs. These tools manage the connection details, such as calculating signatures, handling request retries, and error handling. In most cases, they also contain sample code, tutorials, and other resources to help you get started writing applications that interact with AWS.

To prevent tampering with a request while it's in transit, some of the request elements are used to calculate a hash (digest) of the request, and the resulting hash value is included as part of the request. When an AWS service receives the request, it uses the same information to calculate a hash and matches it against the hash value in your request. If the values don't match, AWS denies the request.

Protect against potential replay attacks

In most cases, a request must reach AWS within five minutes of the time stamp in the request. Otherwise, AWS denies the request.

Signing Requests

To sign a request, you first calculate a hash (digest) of the request. Then you use the hash value, some other information from the request, and your secret access key to calculate another hash known as the signature. Then you add the signature to the request in one of the following ways:

Using the HTTP Authorization header.

Adding a query string value to the request. Because the signature is part of the URL in this case, this type of URL is called a presigned URL.
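The hash-then-sign procedure described above carried through as Signature Version 4, together with the service-side check from the earlier sections (recomputing the hash over the received elements and rejecting a time stamp outside the five-minute window), as an added example that is not code from the AWS documentation. Assumed: Python 3 standard library only, an S3-style single-encoded path, placeholder credentials AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY of the kind AWS uses in its docs, and that the client signed every header it sent.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

def canonical_request(method, path, query, headers, payload):
    # Step 1: canonical form of the request. Every element here is covered by the signature, so
    # altering any of them in transit changes the hash the service recomputes.
    # The path is encoded once (Amazon S3 convention; assumption for this example).
    payload_hash = hashlib.sha256(payload).hexdigest()
    cquery = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    signed = ";".join(sorted(lower))
    cheaders = "".join(f"{n}:{lower[n]}\n" for n in sorted(lower))
    creq = "\n".join([method, quote(path, safe="/-_.~"), cquery, cheaders, signed, payload_hash])
    return creq, signed, payload_hash

def signing_key(secret, date_stamp, region, service):
    # Step 2: derive a key scoped to date/region/service; the raw secret never signs a request.
    key = ("AWS4" + secret).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def compute_signature(method, path, query, payload, headers, region, service, secret):
    # Step 3: hash the canonical request, build the string to sign, HMAC it with the scoped key.
    amz_date = headers["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    creq, signed, _ = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(creq.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest(), signed, scope

def sign_request(method, host, path, query, payload, region, service, access_key, secret, now):
    # Client side: carry the signature in the Authorization header (a presigned URL carries the
    # same values as query string parameters instead). `now` is a UTC-aware datetime.
    headers = {"host": host, "x-amz-date": now.strftime("%Y%m%dT%H%M%SZ")}
    sig, signed, scope = compute_signature(method, path, query, payload, headers, region, service, secret)
    headers["authorization"] = f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"
    return headers

def verify_request(method, path, query, payload, received, region, service, secret, now, window=300):
    # Service side: reject a stale X-Amz-Date (the five-minute window that limits replay), then
    # recompute the signature from the received elements and compare it in constant time.
    # Assumes the client signed every header it sent, so SignedHeaders is not re-parsed here.
    sent_at = dt.datetime.strptime(received["x-amz-date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if abs((now - sent_at).total_seconds()) > window:
        return False
    unsigned = {k: v for k, v in received.items() if k != "authorization"}
    expected, _, _ = compute_signature(method, path, query, payload, unsigned, region, service, secret)
    return hmac.compare_digest(expected, received["authorization"].rsplit("Signature=", 1)[1])
```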

Signature Versions

AWS supports two signature versions: Signature Version 4 and Signature Version 2. You should use Signature Version 4. All AWS services support Signature Version 4, except Amazon SimpleDB, which requires Signature Version 2. For AWS services that support both versions, we recommend that you use Signature Version 4.

All AWS regions support Signature Version 4.
